AuthAnvil Override Options

Most AuthAnvil agents support an override mechanism of some sort, with the procedure for adding a user varying depending on the agent.

Windows Logon Agent/Credential Provider

It is possible to assign a user to a Local or Active Directory Security Group which our agent will honor. If someone is a member of that group, they will not be required to enter their AuthAnvil passcode. They can leave that field blank.

During installation, the Active Directory Override Group is defined by the person running the installer (Default: AuthAnvilOverride). To use this feature, the Local or Domain administrator is responsible for creating this Security Group and assigning users as required by the corporate security policy. After installation, the override group can be set using the AuthAnvil Logon Config control panel in the Windows control panel.

RWWGuard 2003

In the “AuthAnvil Settings”, click “Exception List”. The exception list is designed to override the default behaviour of RWWGuard for certain users. If “Force OTP Auth” is enabled, everyone will have to provide an OTP Passcode except for those on the exception list. If “Force OTP Auth” is NOT enabled, then only the users in the exception list are required to do so.

RWWGuard 2008/2011

RWWGuard is configured by using the RWWGuard configuration utility, located at Start > All Programs > Scorpion Software > RWWGuard > Configure RWWGuard. In this utility you can define the Active Directory Security Group Exception List that RWWGuard 2008/2011 uses to determine who is required to provide AuthAnvil credentials. You can also define whether authentication is “Required only for users in the exception list”, or for users not in the exception list.

Kaseya Logon Agent

VSA R7 - Newer

You will need to disable the 2FA logon requirement in the ksubscribers dbo.AA_Settings table. Change the value of TFALogonDisabled from 0 to 1.

VSA v6.5 - older

In the AuthAnvil\inc\AuthAnvil.asp file there are several whitelist variables defined:

The usersNotRequiring2FA variable is a comma separated list of usernames that needs to match the users’ Kaseya username.

The ipWhiteList variable is a comma separated list of IP subnets in CIDR format, for example 192.168.1.0/24. This feature will only work if the computers are communicating with the Kaseya server via IPv4. It does not recognize IPv6 addresses.

The userWhiteListRequires2FA variable allows you to toggle whitelist modes. If it is set to true, only users in the whitelist will be required to authenticate using two factor authentication. If it is set to false, all users except those in the whitelist will be required to authenticate using two factor authentication (the default behavior).

Kaseya Addin

VSA R7 - Newer

You will need to disable the 2FA logon requirement in the ksubscribers dbo.AA_Settings table. Change the value of TFALogonDisabled from 0 to 1.

VSA v6.5 - older

The Kaseya Addin uses a whitelist functionality which can be found in the AuthAnvil tab under Server Settings -> Configure Kaseya Logon. Its settings are configured identically to those of the Kaseya Logon Agent (see above). The Addin can be configured to require two-factor authentication from all users except those in the whitelist, or to require two-factor authentication from ONLY the users in the whitelist.

By default, the Addin will require 2FA from all users except those in the whitelist, but this can be changed by modifying a setting in the database.

You may use either your favorite SQL management tool, or the SQLCMD command line utility that ships with SQL Server 2005 and later. To use SQLCMD:

Open a Command Prompt

Run the command sqlcmd -S KASEYA2\SQLEXPRESS (where KASEYA2\SQLEXPRESS is the path to your SQL server). The -S switch is case-sensitive; a lowercase -s sets the column separator instead of the server.

Once connected, you will see a 1> prompt. Run the command: UPDATE ksubscribers.dbo.AA_Settings SET Data = 1 WHERE Setting = 'userWhiteListRequires2FA'

Next, you will see a 2> prompt. Type GO and hit enter.

You should see the result: (1 rows affected). Type exit and hit enter.

To reverse the setting to not require 2FA from the Whitelisted Users list, use the same process, running the SQL command: UPDATE ksubscribers.dbo.AA_Settings SET Data = 0 WHERE Setting = 'userWhiteListRequires2FA'

LPI Logon Agent

In the AuthAnvil.config file in the C:\Program Files\Level Platforms\Service Center\SC\ directory, there are several whitelist settings defined:

The UserWhitelist setting is a comma separated list of usernames that needs to match the users’ LPI usernames.

The IPWhitelist setting is a comma separated list of IP subnets in CIDR format, for example 192.168.1.0/24. This feature will only work if the computers are communicating with the LPI server via IPv4. It does not recognize IPv6 addresses.

The UsersWhitelistRequires2FA setting toggles the logon behavior between requiring all users to provide an AuthAnvil credential except those in the whitelist (False) and requiring only the users in the whitelist to provide an AuthAnvil credential (True).

RD Web Access Logon Agent

In the RD Web Access Login.aspx page located at C:\Windows\Web\RDWeb\Pages\en-US\login.aspx there are several whitelist settings defined:

The UserWhitelist setting is a comma separated list of usernames that needs to match the users’ LPI usernames.

The IPWhitelist setting is a comma separated list of IP subnets in CIDR format, for example 192.168.1.0/24. This feature will only work if the computers are communicating with the LPI server via IPv4. It does not recognize IPv6 addresses.

The UsersWhitelistRequires2FA setting toggles the logon behavior between requiring all users to provide an AuthAnvil credential except those in the whitelist (False) and requiring only the users in the whitelist to provide an AuthAnvil credential (True).
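
The following is an added example, not part of the original article or of AuthAnvil itself: a small Python audit of the user list, IP list and mode toggle described above for the Kaseya, LPI and RD Web Access agents. The function names, the /16 "broad range" threshold, the exact-match username comparison and the sample values are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROAD_PREFIX = 16  # assumption: IPv4 networks wider than /16 deserve a second look

def split_list(raw):
    """Split a comma separated setting into its non-empty entries (whitespace kept)."""
    return [item for item in raw.split(",") if item.strip()]

def requires_2fa(username, user_list, whitelist_requires_2fa):
    """Apply the mode toggle as the article describes it (exact match on trimmed entries assumed)."""
    listed = username in [u.strip() for u in split_list(user_list)]
    return listed if whitelist_requires_2fa else not listed

def audit(user_list, ip_list, whitelist_requires_2fa):
    """Return review findings for one agent's whitelist settings."""
    findings = []
    users = split_list(user_list)
    if whitelist_requires_2fa and not users:
        findings.append("mode is True with an empty user list: no user is required to use 2FA")
    for u in users:
        if u != u.strip():
            findings.append(f"user entry {u!r}: surrounding whitespace, verify it still matches")
    for entry in (e.strip() for e in split_list(ip_list)):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry}: not a valid CIDR subnet")
            continue
        if net.version == 6:
            findings.append(f"{entry}: IPv6 entry, not recognized by the agent")
        elif net.prefixlen < BROAD_PREFIX:
            findings.append(f"{entry}: very broad range ({net.num_addresses} addresses)")
        elif not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"{entry}: outside RFC 1918 private address space")
    return findings

# Constructed sample values, not taken from any real deployment.
SAMPLE_USERS = "alice, bob"
SAMPLE_IPS = "192.168.1.0/24,10.0.0.0/8,2001:db8::/32,203.0.113.0/24,office-lan"

if __name__ == "__main__":
    for line in audit(SAMPLE_USERS, SAMPLE_IPS, False):
        print(line)
```

Paste the values of the whitelist settings from the relevant agent into the two sample strings to review them; every finding is a prompt for manual review against your security policy, not a verdict.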